Infrastructure Risk Governance Briefing — December 13, 2024
The U.S. Financial Stability Oversight Council's 2024 annual report spotlights cloud concentration, critical third parties, and AI model risk that financial operators must factor into resilience roadmaps.
Executive briefing: The Financial Stability Oversight Council (FSOC) published its 2024 Annual Report, warning that cloud concentration, cybersecurity gaps, and rapid adoption of AI models across the financial sector demand stronger operational resilience and supervisory coordination. Zeph Tech is mapping the findings to U.S. banking client remediation plans, emphasizing board governance and testing cadence.
Key risk themes
- Critical third parties. FSOC reiterated that dependence on a small set of cloud and SaaS providers elevates systemic risk, urging agencies to advance the Office of the Comptroller of the Currency (OCC) and Federal Reserve third-party risk management frameworks.
- Cyber resilience. The report cites increased ransomware activity and geopolitical cyber operations targeting financial market utilities, calling for sector-wide tabletop exercises and expanded incident reporting coordination.
- AI governance. FSOC highlighted model risk management gaps as firms deploy generative AI for customer service and fraud detection, recommending adherence to NIST AI Risk Management Framework profiles and model documentation expectations.
Control alignment
- FFIEC Business Continuity Handbook. Validate resilience testing scenarios against FSOC's cloud disruption examples, including provider outage and data corruption drills.
- SR 11-7 model risk management. Expand inventory and validation routines for AI and machine learning systems cited in the report.
Detection and response priorities
- Coordinate with cloud providers on recovery time objectives (RTOs) and telemetry sharing to match FSOC's expectations for critical third parties.
- Exercise joint incident response with clearing and settlement partners, incorporating ransomware double-extortion and destructive scenarios raised by FSOC.
Enablement moves
- Brief boards and risk committees on FSOC's recommendations, identifying budget requirements for resilience testing, AI governance tooling, and supplier assessments.
- Update regulatory engagement plans to address potential new authorities for supervising critical service providers highlighted by FSOC.
Zeph Tech supports financial institutions with cross-cloud resilience design, AI model governance, and regulatory engagement strategies anchored to FSOC directives.